From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH 2/3] ima-evm-utils: Remove not needed argument from verify_hash_v2
Date: Thu, 18 Jul 2019 19:23:21 -0400 [thread overview]
Message-ID: <1563492201.4539.339.camel@linux.ibm.com> (raw)
In-Reply-To: <20190718213510.10829-2-vt@altlinux.org>
On Fri, 2019-07-19 at 00:35 +0300, Vitaly Chikunov wrote:
> Since we now always call verify_hash_v2() with NULL keyfile (assuming
> all keys are already loaded into public_keys list), remove keyfile
> argument and its handling from verify_hash_v2().
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Thanks!
> ---
> src/libimaevm.c | 21 +++++++--------------
> 1 file changed, 7 insertions(+), 14 deletions(-)
>
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 97b7167..b153f1b 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles)
> * Return: 0 verification good, 1 verification bad, -1 error.
> */
> int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> - unsigned char *sig, int siglen, const char *keyfile)
> + unsigned char *sig, int siglen)
> {
While making this change, could we also make both this and
verify_hash_v1() functions static? Should I make the change?
Mimi
> int ret = -1;
> EVP_PKEY *pkey, *pkey_free = NULL;
> @@ -467,20 +467,13 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> log_dump(hash, size);
> }
>
> - if (public_keys) {
> + pkey = find_keyid(hdr->keyid);
> + if (!pkey) {
> uint32_t keyid = hdr->keyid;
>
> - pkey = find_keyid(keyid);
> - if (!pkey) {
> - log_err("%s: unknown keyid: %x\n", file,
> - __be32_to_cpup(&keyid));
> - return -1;
> - }
> - } else {
> - pkey = read_pub_pkey(keyfile, 1);
> - if (!pkey)
> - return -1;
> - pkey_free = pkey;
> + log_err("%s: unknown keyid: %x\n", file,
> + __be32_to_cpup(&keyid));
> + return -1;
> }
>
> st = "EVP_PKEY_CTX_new";
> @@ -581,7 +574,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
> key = "/etc/keys/pubkey_evm.pem";
> return verify_hash_v1(file, hash, size, sig, siglen, key);
> } else if (sig[0] == DIGSIG_VERSION_2) {
> - return verify_hash_v2(file, hash, size, sig, siglen, NULL);
> + return verify_hash_v2(file, hash, size, sig, siglen);
> } else
> return -1;
> }
next prev parent reply other threads:[~2019-07-18 23:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-18 21:35 [PATCH 1/3] ima-evm-utils: Remove indirect call to subfunctions in verify_hash Vitaly Chikunov
2019-07-18 21:35 ` [PATCH 2/3] ima-evm-utils: Remove not needed argument from verify_hash_v2 Vitaly Chikunov
2019-07-18 23:23 ` Mimi Zohar [this message]
2019-07-18 23:26 ` Vitaly Chikunov
2019-07-18 21:35 ` [PATCH 3/3] ima-evm-utils: Improve OpenSSL error reporting Vitaly Chikunov
2019-07-18 23:23 ` Mimi Zohar
2019-07-18 23:24 ` [PATCH 1/3] ima-evm-utils: Remove indirect call to subfunctions in verify_hash Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1563492201.4539.339.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).